Jump to navigation Jump to search
!!! Choose proper TLP color ** WHITE information - Unlimited distribution allowed ** ** GREEN information - Community-wide distribution allowed ** ** AMBER information - Limited distribution allowed ** ** RED information - Personal for Named Recipients Only ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** !!! Fill in advisory number, title, date, and URL !!! Title should be prepended by the criticality rating (e. g., CRITICAL, HIGH, ...) !!! If applicable, a CVE number or the like should be included !!! The title should be used as mail subject as well EGI CSIRT ADVISORY [EGI-ADV-YYYYMMDD] Title: CRITICAL Local Root Vulnerability in the Linux Kernel (CVE-YYYY-NNNN) [EGI-ADV-YYYYMMDD] Date: Month DD, YYYY Last update: Month DD, YYYY URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/EGI-ADV-YYYYMMDD Introduction ============ !!! Give a brief (one paragraph, three to five sentences) description !!! of the vulnerability, containing at least !!! + general nature of the vulnerability !!! + affected systems (broadly) !!! + whether PoC/live exploits exist !!! + mitigation status (broadly) !!! + patch status (broadly) !!! + deadlines, if any !!! Technical details go in the next section !!! Fictive example below: On 2010-11-22, a linux kernel vulnerability (CVE-2010-9999) was disclosed. The vulnerability allows local users to gain root privileges; affected distributions include RHEL 5, SL 5, SLC 5. No live exploit is known to exist; however, proof-of-concept code is public. Vendor patches are not available yet, mitigation is theoretically possible but of little practical value. EGI CSIRT considers this to be a CRITICAL vulnerability; either workarounds or patches MUST be in place on running resources by 2010-11-29T21:00+01:00 (Monday, November 29, 21:00 CET). Details ======= !!! Technical details !!! + vulnerability details !!! + PoC/exploit details !!! Fictive example below: In kernel version 2.6.20, a buffer overflow in the VFS stack was introduced, allowing an attacker with local access to execute arbitrary code by creating a file with a carefully chosen name. In principle, the vulnerability is independent of the underlying file system used; however, to actually exploit the vulnerability, a file name with a length of at least 36 characters must be used. Proof-of-concept code is public but does not run any malicious code. An attacker can easily build a working exploit based on this code, though. Mitigation ========== !!! Details and instructions on how to mitigate, if available !!! If possible and sensible, include command lines to be used !!! Fictive example below: Theoretically, it is possible to work around this vulnerability by preventing regular users from writing to a file system, for example by mounting all file systems read-only. Another possibility is to use only filesystems that do not support file names longer than 35 characters, for instance FAT (not VFAT). Finally, it is possible to set the set_vulnerable parameter of the virtual filesystem to 0; however, this slows down file system accesses by a factor of 100. The parameter may be set with the following command as root: --- echo 0 > /proc/vfs/set_vulnerable --- The current state can be queried with this command: --- cat /proc/vfs/set_vulnerable --- Recommendations =============== !!! EGI CSIRT recommendations !!! Again repeat the deadline, if any !!! Fictive example below: Immediately apply vendor patches as they become available. All running resources MUST be either patched or otherwise have a work-around in place by 2010-11-29T21:00+01:00. Vendor patches are already announced for these distributions: * Ubuntu * RHEL5 * SL5 * SLC5 * CentOS5 References ========== !!! Any references to the vulnerability !!! Include links to vendor pages with patches as they become available !!! Fictive example below: Ubuntu kernel update: https://lists.ubuntu.com/archives/ubuntu-security-announce/2010-November/999999.html RHEL5 update: https://rhn.redhat.com/errata/RHSA-2010-9999.html Timeline ======== !!! Add timeline information as it becomes available YYYY-MM-DD 2014-04-08 EGI and SVG alerted to this Publicly disclosed vulnerability 2014-04-08 Acknowledgement from the EGI SVG 2014-04-08 EGI SVG and CSIRT consider 'Critical' 2014-04-08 Alert issued with 7 day deadline 2014-04-09 Revised adding additional information and clarification.